Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

7.2. 对 Red Hat Fuse 应用程序应用补丁

patch-maven-plugin 的目的是,将 Red Hat Fuse BOM 中列出的依赖项版本更新至您要应用到应用程序的补丁元数据中指定的版本。

流程

以下流程解释了如何将补丁应用到您的应用程序。

  1. patch-maven-plugin 添加到项目的 pom.xml 文件中。patch-maven-plugin 的版本必须与 Fuse BOM 的版本相同。 

    <build>
    <plugins>
        <plugin>
            <groupId>org.jboss.redhat-fuse</groupId>
            <artifactId>patch-maven-plugin</artifactId>
            <version>${version.org.jboss-redhat-fuse}</version>
            <extensions>true</extensions>
        </plugin>
    </plugins>
</build>
    Copy to Clipboard Toggle word wrap

  2. 当您运行任何 mvn clean deploymvn dependency:tree 命令时,插件会搜索项目模块,以检查是否使用其中一个 Red Hat Fuse BOM。只有 2 视为受支持的 BOM:

    • org.jboss.redhat-fuse:fuse-karaf-bom: 用于 Fuse Karaf BOM
    • org.jboss.redhat-fuse:fuse-springboot-bom: for Fuse Spring Boot BOM

  3. 如果没有找到上述 BOMs,则插件会显示以下信息: 

    $ mvn clean install
[INFO] Scanning for projects...
[INFO]

========== Red Hat Fuse Maven patching ==========

[INFO] [PATCH] No project in the reactor uses Fuse Karaf or Fuse Spring Boot BOM. Skipping patch processing.
[INFO] [PATCH] Done in 3ms
    Copy to Clipboard Toggle word wrap

  4. 如果同时找到了 Fuse BOMs,则 patch-maven-plugin 会停止并带有以下警告: 

    $ mvn clean install
[INFO] Scanning for projects...
[INFO]

========== Red Hat Fuse Maven patching ==========

[WARNING] [PATCH] Reactor uses both Fuse Karaf and Fuse Spring Boot BOMs. Please use only one. Skipping patch processing.
[INFO] [PATCH] Done in 3ms
    Copy to Clipboard Toggle word wrap

  5. patch-maven-plugin 尝试获取以下 Maven 元数据值之一。

    • 对于 Fuse Karaf BOM 的项目,将解决 org.jboss.redhat-fuse/fuse-karaf-patch-metadata/maven-metadata.xml。这是带有 org.jboss.redhat-fuse:fuse-karaf-patch-metadata:RELEASE 协调的工件的元数据。

    • 对于 Fuse Spring Boot BOM 项目的项目,则已解析 org.jboss.redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml。这是带有 org.jboss.redhat-fuse:fuse-springboot-patch-metadata:RELEASE 协调的工件的元数据。

      Maven 生成的元数据示例

      <?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>org.jboss.redhat-fuse</groupId>
  <artifactId>fuse-springboot-patch-metadata</artifactId>
  <versioning>
    <release>7.8.1.fuse-sb2-781025</release>
    <versions>
      <version>7.8.0.fuse-sb2-780025</version>
      <version>7.7.0.fuse-sb2-770010</version>
      <version>7.7.0.fuse-770010</version>
      <version>7.8.1.fuse-sb2-781025</version>
    </versions>
    <lastUpdated>20201023131724</lastUpdated>
  </versioning>
</metadata>
      Copy to Clipboard Toggle word wrap

  6. patch-maven-plugin 解析元数据以选择适用于当前项目的版本。这只适用于使用 Fuse BOM 版本 7.8.xxx 的 Maven 项目。只有与版本范围 7.8、7.7 或更高版本匹配的元数据才适用,且只会获取元数据的最新版本。

  7. patch-maven-plugin 收集在下载由 groupIdartifactIdversion 标识的补丁元数据时使用的远程 Maven 存储库列表。这些 Maven 存储库是活跃配置集的 < repositories> 元素中列出的它们,以及来自 settings.xml 文件的软件仓库。 

    $ mvn clean install
[INFO] Scanning for projects...
[INFO]

========== Red Hat Fuse Maven patching ==========

[INFO] [PATCH] Reading patch metadata and artifacts from 2 project repositories
[INFO] [PATCH]  - local-nexus: http://everfree.forest:8081/repository/maven-releases/
[INFO] [PATCH]  - central: https://repo.maven.apache.org/maven2
Downloading from local-nexus: http://everfree.forest:8081/repository/maven-releases/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml
...
    Copy to Clipboard Toggle word wrap

  8. 另外,如果您想要使用离线存储库,您可以使用 -Dpatch 选项指定由 fuse-karaf/fuse-karaf-patch-repository 生成的 ZIP 文件,或 fuse-springboot/ fuse-springboot /fuse-springboot-patch- repository 模块。这些 ZIP 文件具有与 Maven 存储库结构相同的内部结构。例如, 

    $ mvn clean install -Dpatch=../../../test/resources/patch-3.zip
[INFO] Scanning for projects...
[INFO]

========== Red Hat Fuse Maven patching ==========

[INFO] [PATCH] Reading metadata and artifacts from /data/sources/github.com/jboss-fuse/redhat-fuse/fuse-tools/patch-maven-plugin/src/test/resources/patch-3.zip
Downloading from fuse-patch: zip:file:/tmp/patch-3.zip-1742974214598205745/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml
Downloaded from fuse-patch: zip:file:/tmp/patch-3.zip-1742974214598205745/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml (406 B at 16 kB/s)
Downloading from fuse-patch: zip:file:/tmp/patch-3.zip-1742974214598205745/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/7.8.0.fuse-sb2-781023/fuse-springboot-patch-metadata-7.8.0.fuse-sb2-781023.xml
Downloaded from fuse-patch: zip:file:/tmp/patch-3.zip-1742974214598205745/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/7.8.0.fuse-sb2-781023/fuse-springboot-patch-metadata-7.8.0.fuse-sb2-781023.xml (926 B at 309 kB/s)
[INFO] [PATCH] Resolved patch descriptor: /home/user/.m2/repository/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/7.8.0.fuse-sb2-781023/fuse-springboot-patch-metadata-7.8.0.fuse-sb2-781023.xml
...
    Copy to Clipboard Toggle word wrap

  9. 元数据是否来自远程存储库、本地存储库或 ZIP 文件,它由 patch-maven-plugin 分析。获取的元数据包含 CVE 以及每个 CVE,我们都有受影响的 Maven 工件(由 glob 模式和版本范围指定)的列表以及包含给定 CVE 修复的版本。例如, 

    <?xml version="1.0" encoding="UTF-8" ?>

<metadata xmlns="urn:redhat:fuse:patch-metadata:1">
    <product-bom groupId="org.jboss.redhat-fuse" artifactId="fuse-springboot-bom" versions="[7.8,7.9)" />
    <cves>
        <cve id="CVE-2020-xyz" description="Jetty can be configured to listen on port 8080"
                cve-link="https://nvd.nist.gov/vuln/detail/CVE-2020-xyz"
                bz-link="https://bugzilla.redhat.com/show_bug.cgi?id=42">
            <affects groupId="org.eclipse.jetty" artifactId="jetty-*" versions="[9.4,9.4.32)" fix="9.4.32.v20200930" />
            <affects groupId="org.eclipse.jetty.http2" artifactId="http2-*" versions="[9.4,9.4.32)" fix="9.4.32.v20200930" />
        </cve>
    </cves>
    <fixes />
</metadata>
    Copy to Clipboard Toggle word wrap

  10. 最后,当迭代当前项目中所有管理的依赖关系时,会参考补丁元数据中指定的修复列表。这些与匹配的依赖项(及受管依赖关系)被更改为固定版本。例如: 

    $ mvn clean install -U
[INFO] Scanning for projects...
[INFO

========== Red Hat Fuse Maven patching ==========

[INFO] [PATCH] Reading patch metadata and artifacts from 2 project repositories
[INFO] [PATCH]  - local-nexus: http://everfree.forest:8081/repository/maven-releases/
[INFO] [PATCH]  - central: https://repo.maven.apache.org/maven2
Downloading from local-nexus: http://everfree.forest:8081/repository/maven-releases/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml
Downloading from central: https://repo.maven.apache.org/maven2/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml
Downloaded from local-nexus: http://everfree.forest:8081/repository/maven-releases/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml (363 B at 4.3 kB/s)
[INFO] [PATCH] Resolved patch descriptor: /home/user/.m2/repository/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/7.8.0.fuse-sb2-780032/fuse-springboot-patch-metadata-7.8.0.fuse-sb2-780032.xml
[INFO] [PATCH] Patch metadata found for org.jboss.redhat-fuse/fuse-springboot-bom/[7.8,7.9)
[INFO] [PATCH]  - patch contains 1 CVE fix
[INFO] [PATCH] Processing managed dependencies to apply CVE fixes... (https://nvd.nist.gov/vuln/detail/CVE-2020-xyz, https://bugzilla.redhat.com/show_bug.cgi?id=42_
[INFO] [PATCH] - CVE-2020-xyz: Jetty can be configured to expose itself on port 8080
[INFO] [PATCH]   Applying change org.eclipse.jetty/jetty-*/[9.4,9.4.32) -> 9.4.32.v20200930
[INFO] [PATCH]    - managed dependency: org.eclipse.jetty/jetty-alpn-client/9.4.30.v20200611 -> 9.4.32.v20200930
...
[INFO] [PATCH]    - managed dependency: org.eclipse.jetty/jetty-openid/9.4.30.v20200611 -> 9.4.32.v20200930
[INFO] [PATCH]   Applying change org.eclipse.jetty.http2/http2-*/[9.4,9.4.32) -> 9.4.32.v20200930
[INFO] [PATCH]    - managed dependency: org.eclipse.jetty.http2/http2-client/9.4.30.v20200611 -> 9.4.32.v20200930
...
[INFO] [PATCH] Done in 635ms

=================================================
    Copy to Clipboard Toggle word wrap

跳过补丁

如果您不想将特定的补丁应用到项目,则 patch-maven-plugin 提供了一个 跳过 选项。假设您已经将 patch-maven-plugin 添加到项目的 pom.xml 文件,并且您不希望修改版本,您可以使用以下方法之一跳过补丁。

  • 将 skip 选项添加到您的项目的 pom.xml 文件中,如下所示: 
<build>
    <plugins>
        <plugin>
            <groupId>org.jboss.redhat-fuse</groupId>
            <artifactId>patch-maven-plugin</artifactId>
            <version>${version.org.jboss-redhat-fuse}</version>
            <extensions>true</extensions>
            <configuration>
                <skip>true</skip>
            </configuration>
        </plugin>
    </plugins>
</build>
Copy to Clipboard Toggle word wrap
  • 或者在运行 mvn 命令时使用 -DskipPatch 选项,如下所示: 
$ mvn dependency:tree -DskipPatch
[INFO] Scanning for projects...
[INFO]
[INFO] ------< org.jboss.redhat-fuse:cve-dependency-management-module1 >-------
[INFO] Building cve-dependency-management-module1 7.8.0.fuse-sb2-780033
[INFO] --------------------------------[ jar ]---------------------------------
...
Copy to Clipboard Toggle word wrap

如上方输出中所示,未调用 patch-maven-plugin,这会导致不会应用到应用的补丁。

返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat